54294 2011-02-11 10:47:06 -0800 crashes in WebProcess at WebCore::Range::startPosition const + 16 2011-02-11 13:40:11 -0800 1 1 1 Unclassified WebKit WebKit2 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED InRadar, PlatformOnly P2 Normal --- 1 enrica enrica oldest_to_newest 349838 0 enrica 2011-02-11 10:47:06 -0800 see below the stack trace. Thread 0 name: Dispatch queue: com.apple.main-thread Thread 0 Crashed: 0 com.apple.WebCore 0x00007fff91721410 WebCore::Range::startPosition() const + 16 1 com.apple.WebCore 0x00007fff91834cdd WebCore::Editor::firstRectForRange(WebCore::Range*) const + 49 2 com.apple.WebKit2 0x00007fff8c6779e8 WebKit::WebPage::firstRectForCharacterRange(unsigned long long, unsigned long long, WebCore::IntRect&) + 212 3 com.apple.WebKit2 0x00007fff8c6b4b7b void CoreIPC::handleMessage<Messages::WebPage::FirstRectForCharacterRange, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::IntRect&)>(CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::IntRect&)) + 73 4 com.apple.WebKit2 0x00007fff8c6b3bec WebKit::WebPage::didReceiveSyncWebPageMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*) + 136 5 com.apple.WebKit2 0x00007fff8c691a59 WebKit::WebProcess::didReceiveSyncMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*) + 61 6 com.apple.WebKit2 0x00007fff8c64315f CoreIPC::Connection::dispatchSyncMessage(CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 117 7 com.apple.WebKit2 0x00007fff8c64327e CoreIPC::Connection::waitForSyncReply(unsigned long long, double) + 204 8 com.apple.WebKit2 0x00007fff8c6436f7 CoreIPC::Connection::sendSyncMessage(CoreIPC::MessageID, unsigned long long, WTF::PassOwnPtr<CoreIPC::ArgumentEncoder>, double) + 349 9 com.apple.WebKit2 0x00007fff8c678c53 bool CoreIPC::Connection::sendSync<Messages::WebPageProxy::InterpretKeyEvent>(Messages::WebPageProxy::InterpretKeyEvent const&, Messages::WebPageProxy::InterpretKeyEvent::Reply const&, unsigned long long, double) + 141 10 com.apple.WebKit2 0x00007fff8c677f8e WebKit::WebPage::interceptEditingKeyboardEvent(WebCore::KeyboardEvent*, bool) + 274 11 com.apple.WebKit2 0x00007fff8c6b2361 WebKit::WebEditorClient::handleInputMethodKeydown(WebCore::KeyboardEvent*) + 29 12 com.apple.WebCore 0x00007fff914340d8 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 578 13 com.apple.WebKit2 0x00007fff8c672d6c WebKit::WebPage::keyEvent(WebKit::WebKeyboardEvent const&) + 110 14 com.apple.WebKit2 0x00007fff8c6b4f1d void CoreIPC::handleMessage<Messages::WebPage::KeyEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebKeyboardEvent const&)>(CoreIPC::ArgumentDecoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebKeyboardEvent const&)) + 77 15 com.apple.WebKit2 0x00007fff8c642cd6 CoreIPC::Connection::dispatchMessages() + 230 16 com.apple.WebKit2 0x00007fff8c659d5b RunLoop::performWork() + 83 17 com.apple.CoreFoundation 0x00007fff958fd11d __CFRunLoopDoSources0 + 253 18 com.apple.CoreFoundation 0x00007fff958fcae9 __CFRunLoopRun + 905 19 com.apple.CoreFoundation 0x00007fff958fc526 CFRunLoopRunSpecific + 230 20 com.apple.HIToolbox 0x00007fff8e494a07 RunCurrentEventLoopInMode + 277 21 com.apple.HIToolbox 0x00007fff8e494801 ReceiveNextEventCommon + 355 22 com.apple.HIToolbox 0x00007fff8e49468e BlockUntilNextEventMatchingListInMode + 62 23 com.apple.AppKit 0x00007fff93a57715 _DPSNextEvent + 659 24 com.apple.AppKit 0x00007fff93a5701a -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135 25 com.apple.AppKit 0x00007fff93a1c095 -[NSApplication run] + 456 26 com.apple.WebKit2 0x00007fff8c693c13 WebKit::WebProcessMain(WebKit::CommandLine const&) + 400 27 com.apple.WebKit2 0x00007fff8c66fc3c WebKitMain + 268 28 com.apple.WebProcess 0x10b7add58 start + 52 349843 1 82143 enrica 2011-02-11 10:53:47 -0800 Created attachment 82143 patch 349845 2 82143 darin 2011-02-11 10:56:45 -0800 Comment on attachment 82143 patch We would be so much better off if we had a test case for this. When can convertToRange return 0? Maybe that will give us an idea how to reproduce. 349977 3 enrica 2011-02-11 13:36:28 -0800 (In reply to comment #2) > (From update of attachment 82143 [details]) > We would be so much better off if we had a test case for this. When can convertToRange return 0? Maybe that will give us an idea how to reproduce. I verified that we have regression tests for WebKit to test this scenario, but they are not enabled for WebKit2. platform/mac/editing/input/firstrectforcharacterrange-plain.html platform/mac/editing/input/firstrectforcharacterrange-styled.html produce the exact same crash signature when I run them with a version of WebKit with the null check removed. 349983 4 enrica 2011-02-11 13:40:11 -0800 http://trac.webkit.org/changeset/78363 82143 2011-02-11 10:53:47 -0800 2011-02-11 10:56:44 -0800 patch startposcrash.txt text/plain 1726 enrica SW5kZXg6IFNvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi S2l0Mi9DaGFuZ2VMb2cJKHJldmlzaW9uIDc4MzQ4KQorKysgU291cmNlL1dlYktpdDIvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTkgQEAKKzIwMTEtMDItMTEgIEVucmljYSBD YXN1Y2NpICA8ZW5yaWNhQGFwcGxlLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KKworICAgICAgICBjcmFzaGVzIGluIFdlYlByb2Nlc3MgYXQgV2ViQ29yZTo6UmFu Z2U6OnN0YXJ0UG9zaXRpb24gY29uc3QgKyAxNgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NTQyOTQKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzg5ODI3 MTA+CisgICAgICAgIAorICAgICAgICBJIGRvbid0IGhhdmUgYSByZXBybyBjYXNlIGZvciB0aGlz IGJ1Z3MsIGJ1dCB0aGUgc2lkZS1ieS1zaWRlCisgICAgICAgIGNvbXBhcmlzb24gb2YgdGhlIElN RSBzdXBwb3J0IGltcGxlbWVudGF0aW9uIGluIFdlYktpdCBhbmQgV2ViS2kyCisgICAgICAgIHNo b3dzIGEgbWlzc2luZyBudWxsIGNoZWNrIG9uIGEgUmFuZ2UgdGhhdCBjb3VsZCB2ZXJ5IHdlbGwg ZXhwbGFpbgorICAgICAgICB0aGlzIGNyYXNoLgorCisgICAgICAgICogV2ViUHJvY2Vzcy9XZWJQ YWdlL21hYy9XZWJQYWdlTWFjLm1tOgorICAgICAgICAoV2ViS2l0OjpXZWJQYWdlOjpmaXJzdFJl Y3RGb3JDaGFyYWN0ZXJSYW5nZSk6CisKIDIwMTEtMDItMTAgIEFuZGVycyBDYXJsc3NvbiAgPGFu ZGVyc2NhQGFwcGxlLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBieSBEYW4gQmVybnN0ZWluLgpJ bmRleDogU291cmNlL1dlYktpdDIvV2ViUHJvY2Vzcy9XZWJQYWdlL21hYy9XZWJQYWdlTWFjLm1t Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJLaXQyL1dlYlByb2Nlc3MvV2ViUGFnZS9tYWMvV2Vi UGFnZU1hYy5tbQkocmV2aXNpb24gNzgyODMpCisrKyBTb3VyY2UvV2ViS2l0Mi9XZWJQcm9jZXNz L1dlYlBhZ2UvbWFjL1dlYlBhZ2VNYWMubW0JKHdvcmtpbmcgY29weSkKQEAgLTIzMSwxMCArMjMx LDExIEBAIHZvaWQgV2ViUGFnZTo6Zmlyc3RSZWN0Rm9yQ2hhcmFjdGVyUmFuZ2UKICAgICByZXN1 bHRSZWN0LnNldFNpemUoSW50U2l6ZSgwLCAwKSk7CiAgICAgCiAgICAgUmVmUHRyPFJhbmdlPiBy YW5nZSA9IGNvbnZlcnRUb1JhbmdlKGZyYW1lLCBOU01ha2VSYW5nZShsb2NhdGlvbiwgbGVuZ3Ro KSk7Ci0gICAgaWYgKHJhbmdlKSB7Ci0gICAgICAgIEFTU0VSVChyYW5nZS0+c3RhcnRDb250YWlu ZXIoKSk7Ci0gICAgICAgIEFTU0VSVChyYW5nZS0+ZW5kQ29udGFpbmVyKCkpOwotICAgIH0KKyAg ICBpZiAoIXJhbmdlKQorICAgICAgICByZXR1cm47CisgICAgCisgICAgQVNTRVJUKHJhbmdlLT5z dGFydENvbnRhaW5lcigpKTsKKyAgICBBU1NFUlQocmFuZ2UtPmVuZENvbnRhaW5lcigpKTsKICAg ICAgCiAgICAgSW50UmVjdCByZWN0ID0gZnJhbWUtPmVkaXRvcigpLT5maXJzdFJlY3RGb3JSYW5n ZShyYW5nZS5nZXQoKSk7CiAgICAgcmVzdWx0UmVjdCA9IGZyYW1lLT52aWV3KCktPmNvbnRlbnRz VG9XaW5kb3cocmVjdCk7Cg==